Description
Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated SQL injection flaw in the Funnel Builder by FunnelKit plugin up to version 3.15.0.1. By sending specially crafted input, an attacker can inject arbitrary SQL statements into the plugin’s database queries. This allows the attacker to read, modify, or delete data stored in the WordPress database, potentially exposing sensitive user information, compromising site functionality, or facilitating further attacks against the underlying web application. The weakness is identified as CWE-89 and scored highly for its impact.

Affected Systems

All installations of the Funnel Builder by FunnelKit plugin with versions 3.15.0.1 or earlier are affected. Administrators should verify the plugin version in use and apply the update to at least 3.15.0.2, which contains the security fix.

Risk and Exploitability

The CVSS score of 9.3 reflects a severe risk, while the EPSS score of less than 1% indicates a low estimated probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it via the web interface with no authentication required, meaning any visitor to the site can potentially execute arbitrary SQL commands against the database. The scale of the threat is global across all sites running the affected plugin versions.

Generated by OpenCVE AI on June 18, 2026 at 00:49 UTC.

Remediation

Vendor Solution

Update the WordPress Funnel Builder by FunnelKit Plugin to the latest available version (at least 3.15.0.2).


OpenCVE Recommended Actions

  • Update the Funnel Builder by FunnelKit plugin to version 3.15.0.2 or later.
  • Deploy a web application firewall rule that blocks malicious SQL payloads targeting the funnel builder endpoints.
  • Conduct an internal audit of plugin data handling to verify that all inputs are properly sanitized before database interaction.

Generated by OpenCVE AI on June 18, 2026 at 00:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Funnelkit
Funnelkit funnel Builder By Funnelkit
Wordpress
Wordpress wordpress
Vendors & Products Funnelkit
Funnelkit funnel Builder By Funnelkit
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions.
Title WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.1 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Funnelkit Funnel Builder By Funnelkit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:31:15.056Z

Reserved: 2026-04-27T08:22:05.096Z

Link: CVE-2026-42381

cve-icon Vulnrichment

Updated: 2026-06-16T12:31:08.384Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:53.990

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42381

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:22Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')